
How to add HSTS header when redirecting traffic in load balancer?

0

How can we set the redirection action response's HSTS header, such as Strict-Transport-Security 'max-age=XXXXXXXXXX'? Attached are the screenshots of our load balancer, where we need to add the strict HSTS header.

asked 3 years ago · 20.1K views
2 Answers
0

Hello,


HSTS is specified by a web application on the back-end through the use of a special response header (the Strict-Transport-Security HTTP response header field) and forces clients to direct their user agent(s) to interact with given sites only over secure connections [1].

Stack overflow: Enabling HSTS in AWS ELB application load balancer

Currently, ELB natively does not support HSTS. HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application using a special response header. Since it is an application level configuration, it needs to be enabled only on the back-end server(s) (targets).

A workaround for HSTS to operate with an ELB is to enable HSTS on the backend instance. The ELB will forward the "Strict-Transport-Security" header to clients without altering it.

HTTP Strict Transport Security Cheat Sheet

Please refer to the documentations on how to set up HSTS headers in your backend instance(s). [2][3]

Further, if you are using ALB, there would be another option: use the CloudFront service in front of the ALB (since ALB does not support HSTS). Kindly refer to the following article to learn more:

[+] How do I add HTTP security headers to CloudFront responses?


References:

  1. RFC on HSTS: https://tools.ietf.org/html/rfc6797
  2. IT IGLOO: https://itigloo.com/security/how-to-configure-http-strict-transport-security-hsts-on-apache-nginx/
  3. HTTP Strict Transport Security for Apache, NGINX and Lighttpd: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
AWS
SUPPORT ENGINEER
answered 3 years ago
  • While the answer makes sense, I would like to point out that the backend servers typically only speak HTTP and so they aren't in the best position to add this header. The software running there might need to run in a plain HTTP mode in which case it cannot add HSTS header. I think it would make more sense for ALB to add the header, especially if it terminates TLS connections.

0

Using insert headers, you can now configure your Application Load Balancer to add security-related headers to responses:

  1. https://aws.amazon.com/about-aws/whats-new/2024/11/aws-application-load-balancer-header-modification-enhanced-traffic-control-security/

  2. HTTP header modification for your Application Load Balancer - Add response headers: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/header-modification.html#insert-header

AWS
answered 8 months ago
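Whichever layer emits the header (backend target, CloudFront, or the ALB insert-header feature from the second answer), it is worth verifying what the client actually receives, and RFC 6797 only lets a browser honour Strict-Transport-Security on a response delivered over TLS, so a header attached to the plain-HTTP redirect from the question is silently ignored. The following checker is an added example, not code from the original post or from AWS; the response dictionaries are constructed samples, and the minimum max-age is an assumed policy value.

```python
"""Validate a Strict-Transport-Security header the way an RFC 6797 user agent reads it."""
import re

# RFC 6797 section 6.1: ';'-separated directives, name[=value], names are case-insensitive,
# values may be quoted. Unknown directives are ignored, duplicates make the header invalid.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*?)"?\s*)?$')


def parse_hsts(value):
    """Return {lower-cased directive: value or None}; raise ValueError if the header is invalid."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name = m.group(1).lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = m.group(2)
    return directives


def check_hsts(headers, over_tls, min_max_age=31536000):
    """Return a list of findings for one response; an empty list means the policy is sound.
    min_max_age is an assumed local policy (one year), not an RFC requirement."""
    findings = []
    sts = [v for k, v in headers.items() if k.lower() == "strict-transport-security"]
    if not sts:
        return ["no Strict-Transport-Security header"]
    if len(sts) > 1:
        return ["multiple STS headers; user agents process only the first (RFC 6797 8.1)"]
    if not over_tls:
        findings.append("header sent over plain HTTP; user agents ignore it (RFC 6797 8.1)")
    try:
        d = parse_hsts(sts[0])
    except ValueError as e:
        return findings + [f"invalid header: {e}"]
    if "max-age" not in d or not (d["max-age"] or "").isdigit():
        findings.append("max-age missing or not an integer; policy is ignored")
    elif int(d["max-age"]) < min_max_age:
        findings.append(f"max-age {d['max-age']} below policy minimum {min_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent; subdomains stay unprotected")
    return findings


if __name__ == "__main__":
    # Constructed samples: a TLS response from the backend and the HTTP->HTTPS redirect.
    print(check_hsts({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, True))
    print(check_hsts({"Location": "https://example.com/", "Strict-Transport-Security": "max-age=300"}, False))
```

The second sample reproduces the situation in the question: the redirect carries the header, but the checker reports it as ineffective because the response was not delivered over TLS.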
